eCrime Summit

eCrime '07

October 4-5, 2007
Pittsburgh, PA




Carnegie Mellon CyLab

CERT Network Situational Awareness Group

PGP Corporation


The following program is subject to change.

Wednesday, October 3

Participants in the eCrime Researchers Summit and the General Members Meeting are invited to the APWG eCrime reception at Carnegie Mellon University on the evening of Wednesday, October 3 at 7:30 PM.

Join us for a dinner buffet, drinks, and an eCrime cabaret performance.

Thursday, October 4

8:00 am

Registration and Breakfast

9:00 am

Welcome and Keynote

Gary McGraw, Cigital - Exploiting Online Games

10:15 am

Break

10:45 am

Refereed Paper Presentations:

EXAMINING THE IMPACT OF WEBSITE TAKE-DOWN ON PHISHING
Tyler Moore and Richard Clayton

FISHING FOR PHISHES: APPLYING CAPTURE-RECAPTURE TO PHISHING
Rhiannon Weaver and Michael Collins

Session Chair:
Alessandro Acquisti

12:00 pm

Lunch

1:00 pm

Panel:
From Research to Reality: What Does it Take to Get our Technology Solutions Adopted?

The research community has come up with a variety of innovative ideas for combating eCrime, but few of these ideas are ever adopted. Sometimes technology that works well in the research lab is too expensive or infeasible to implement in a large-scale production environment. Sometimes new technology requires businesses to make too many changes to their IT infrastructure or introduces too many new risks. Often, concerns about potential harm to customer relationships or increases in customer support costs can hamper adoption. This panel will focus on the needs and requirements companies have for multi-factor authentication, mutual authentication, and anti-phishing tools.

Moderator:
Dan Geer
VP and Chief Scientist, Verdasys

Panelists:
Jon Callas
CTO/CSO, PGP Corporation

Dan Schutzer
FSTC

Cormac Herley
Microsoft Research

Mike Aisenberg
EWA Information and Infrastructure Technologies

2:30 pm

CERT Network Situational Awareness Group
Report out and Panel
Uncleanliness: Quantifying network reputation

Moderator/Speakers:
Tim Shimeall
CERT/NetSA

Markus De Shon
CERT/NetSA

Panelists:
Sid Faber
CERT/NetSA

Rhiannon Weaver
CERT/NetSA

Mike Collins
CERT/NetSA

Jeff Janies
CERT/NetSA

3:30 pm

Break

4:00 pm

Refereed Paper Presentations:

EVALUATING A TRIAL DEPLOYMENT OF PASSWORD RE-USE FOR PHISHING PREVENTION
Dinei Florencio and Cormac Herley

BEHAVIORAL RESPONSE TO PHISHING RISK
Julie S. Downs, Mandy B. Holbrook and Lorrie Faith Cranor

Session Chair:
Norman Sadeh

5:15 pm

Break

6:30 pm

Poster Presentations

7:30 pm

Bowling for eCriminals with the APWG eCrime-Fighters

Join the APWG eCrime-Fighters for sustenance and bowling. Immediately following the Poster Presentations, we will serve drinks and munchies as we host the APWG Bowling Tournament of eCrime Experts.

Prizes for best team and individual score will be awarded.

Friday, October 5

8:00 am

Breakfast

9:00 am

Refereed Paper Presentations:

FIGHTING OBFUSCATED SPAM
Changwei Liu and Sid Stamm

A COMPARISON OF MACHINE LEARNING TECHNIQUES FOR PHISHING DETECTION
Saeed Abu-Nimeh, Dario Nappa, Xinlei Wang and Suku Nair

GETTING USERS TO PAY ATTENTION TO ANTI-PHISHING EDUCATION: EVALUATION OF RETENTION AND TRANSFER
Ponnurangam Kumaraguru, Yong Rhee, Steve Sheng, Sharique Hasan, Alessandro Acquisti, Lorrie Cranor and Jason Hong

Session Chair:
Rachna Dhamija

10:45 am

Break

11:15 am

Panel:
Does User Education Work?

When currently available technology cannot fully address security threats, the security community often turns to user education to help fill in the gaps. We've tried to educate users to install the latest security updates, not to open dangerous attachments, not to trust phishy emails, and a number of other security lessons. While education efforts continue, some people argue that user education is ultimately a losing proposition because it is largely ineffective and might actually be counterproductive. Furthermore, in order to be effective, user training needs to keep up with ever-changing security threats. In this panel we will examine some approaches to anti-phishing education and some of the studies that measure their effectiveness. We will address the question of whether user education can ever really work, and if so, under what circumstances. When is user education appropriate? How can it be done most effectively? What things can/should we teach users? What things are we better off not teaching users? When should we give up on user education entirely?

Moderator:
Susanne Wetzel
Stevens Institute of Technology

Panelists:
Lorrie Cranor
Carnegie Mellon University

Richard A Parry
Consumer Risk Management, JPMorgan Chase

Markus Jakobsson
Indiana University

Aaron Emigh
Radix Labs

12:45 pm

Lunch

1:45 pm

Panel:
Political Phishing - A Threat to the 2008 Campaign?

To date, most phishing attacks use the guise of an email from a financial institution to fool their victims. Going forward, we may see emails that look like political campaign messages, asking for contributions and information. Politics has already become a topic for fraudsters, and there are many typosquatters who use domain names similar to campaign websites to ridicule candidates or profit from advertisements. It is also possible for attackers to use the Internet to sow misinformation aimed at lowering voter turnout among targeted groups or at making voters misunderstand the issues and priorities. Political parties may be able to learn a lot from financial institutions about how best to protect their interests, and technical service providers may find an important new problem to address.

Moderator:
Oliver Friedrichs
Symantec

Panelists:
Rachna Dhamija
Harvard University

Chris Soghoian
Indiana University

Celeste Taylor
People For the American Way

3:15 pm

Closing Remarks

Keynote talk

Gary McGraw, Cigital
Exploiting Online Games

This talk (based on a book of the same title co-authored by Greg Hoglund) frankly describes controversial security issues surrounding MMORPGs such as World of Warcraft. This no-holds-barred approach is fully loaded with code examples, debuggers, bots, and hacks. If you are a gamer, a game developer, a software security person or an interested bystander, this book exposes the inner workings of online game security for all to see. In the talk, I will cover:

  • Why online games are a harbinger of software security issues to come
  • How millions of gamers have created billion dollar virtual economies
  • How game companies invade your privacy
  • Why some gamers cheat
  • Techniques for breaking online game security
  • How to build a bot to play a game for you
  • Methods for total conversion and advanced mods

Ultimately, this talk is mostly about security problems associated with advanced massively distributed software. With hundreds of thousands of interacting users, today's online games are a bellwether of modern software yet to come. The kinds of attack and defense techniques I describe are tomorrow's security techniques on display today.

Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of six best-selling books on this topic. The latest, Software Security: Building Security In, was released in 2006, with Exploiting Online Games slated for release this year. His other titles include Java Security, Building Secure Software, and Exploiting Software, and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for darkreading.com, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.

Accepted posters

PAKE-based mutual HTTP authentication for preventing phishing attacks
Yutaka Oiwa, Hiromitsu Takagi, Hajime Watanabe and Hideki Imai

Crimeware-Resistant Authentication
Markus Jakobsson, Susanne Wetzel, Liu Yang and Erik Stolterman

Helping Users Protect Themselves from e-Criminals in Click-Based Graphical Passwords
Alain Forget, Sonia Chiasson and Robert Biddle

A Usability Study on the Net Trust Anti-Fraud Toolbar
Farzaneh Asgharpour, Alex Tsow, Preeti Hariharan and L. Jean Camp

Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic
Ricardo Villamarin-Salomon and José Brustoloni

Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish
Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Cranor, Jason Hong and Elizabeth Nunge

CANTINA: A content based approach to detecting phishing websites
Yue Zhang, Lorrie Cranor, Jason Hong, Serge Egelman and Steve Sheng

You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings
Serge Egelman, Lorrie Cranor and Jason Hong

Phoolproof Phishing Prevention
Bryan Parno, Cynthia Kuo, Adrian Perrig

The My Secure Cyberspace Portal
Anna Maria Berta, Ann Ritchie, John Dolan, Dena Haritos Tsamitis

Detecting Phishing Emails Through Machine Learning Techniques Using Specialized Feature Set
Ian Fette, Patrick Kelley, Norman Sadeh, Anthony Tomasic, Umut Topkara